Accessing the inaccessible: digital forensics at the Dalhousie University Archives Creighton Barrett Dalhousie University Archives Council of Nova Scotia Archives Conference May 11, 2017
Overview Introduction to digital forensics in archival repositories Development of Dalhousie’s digital forensics lab Forensic images Digital forensics tools and workflows Free digital forensics tools Ask questions any time! Digital forensics at the Dalhousie University Archives
What is digital forensics? Forensic science – recovery and investigation of data found in digital storage devices Primarily used in criminal investigations, corporate investigations Archives are adopting digital forensics techniques to support acquisition, accessioning, preservation, and access Acquisition Identification Evaluation Admission Source: Infosec Institute, Digital Forensic Models (January 25, 2016): http://resources.infosecinstitute.com/digital-forensics-models/ Digital forensics at the Dalhousie University Archives
Why have a digital forensics lab? Source: Baker, M. (2017, May 2). Disks back from the dead. Nature, 545 (7652), 117–118. https://doi.org/10.1038/545117a Digital forensics at the Dalhousie University Archives
Why have a digital forensics lab? Archivists are now working with a wide variety of: Digital storage devices Computer file systems, operating systems, and software File formats Digital storage devices are unstable and data is at risk Supports archival mission to preserve authenticity and integrity of records Digital forensics at the Dalhousie University Archives
How are archives doing digital forensics work? Use write-blockers to create forensic images Adopt forensic software (BitCurator or FTK or EnCase) Incorporate digital forensics tools and techniques into core archival functions New policy decisions (e.g., preserve forensic image or extract files?) Archival functions become blurred (e.g., files can be arranged before they are accessioned) Digital forensics at the Dalhousie University Archives
Timeline at Dalhousie February 2016 – Acquire forensic workstation May – November 2016 – Digital archives collection assessment project: http://hdl.handle.net/10222/72663 January 2017 – Install BitCurator and Forensic Toolkit (FTK) software February 2017 – Advanced computer forensics training May 2017 – Launch digital forensics lab April 2017 – Dal’s first time at BitCurator Users Forum Digital forensics at the Dalhousie University Archives
Digital forensics at the Dalhousie University Archives
Components of Digital Forensics Lab Forensic tower Dual Intel Xeon processors 64 GB RAM Tableau T35689iu write-blocker AFT EX-S3 forensic card reader FTK software BitCurator software Digital forensics at the Dalhousie University Archives
Forensic images
What is a forensic image? Complete (i.e., bit-level) copy of a hard drive or other digital storage media Includes unallocated space and slack space Includes operating system and file system Includes computer registry files, browser history, and other contextual information about how the computer was used Includes all files on the hard drive Digital forensics at the Dalhousie University Archives
Preserve information about the operating system and file system Source: Power Data Recovery: The Volume does not contain a recognized file system – how to fix : https://www.powerdatarecovery.com/hard-drive-recovery/volume-not-contain-recognized-file-system.html Digital forensics at the Dalhousie University Archives
Preserve data in slack space / unallocated space Overwrite zero with one = more like 0.95 Overwrite one with one = more like 1.05 Normal equipment will read both values as a one Digital forensics equipment makes it possible to determine what data exists in “slack space” and “unallocated space.” Digital forensics at the Dalhousie University Archives
Some differences between forensic and logical images Forensic image Logical image Recovers operating system and file system Does not recover operating system and file system Potential for password recovery, decryption, etc. Almost no potential for password recovery, decryption, etc. Recover Internet search queries and form data Cannot recover Internet search queries and form data Size of entire hard drive, regardless of how many files are stored Size of files on hard drive Digital forensics at the Dalhousie University Archives
Digital forensics tools
Digital forensics at the Dalhousie University Archives
Digital forensics at the Dalhousie University Archives
Digital forensics at the Dalhousie University Archives
Digital forensics at the Dalhousie University Archives
Digital forensics workflows
Abstract digital forensics model Identification Preparation Approach Strategy Preservation Collection Examination Analysis Presentation Returning Evidence Source: Infosec Institute, Digital Forensic Models (January 25, 2016): http://resources.infosecinstitute.com/digital-forensics-models/ Digital forensics at the Dalhousie University Archives
Penn State University workflow Digital forensics at the Dalhousie University Archives
Dalhousie University workflow (draft) Very premature Does not factor staffing, roles and responsibilities, etc. Relates to other workflows in development (e.g., acquisitions, accessioning) Digital forensics at the Dalhousie University Archives
Forensic imaging workflow (BitCurator) Digital forensics at the Dalhousie University Archives
Identify privacy concerns Digital forensics at the Dalhousie University Archives
Bill Freedman fonds filtered in FTK Description # of files Size Unfiltered All files in case 26,651,084 3,568 GB Primary status Duplicate File indicator IS “Primary” 731,417 83.48 GB Secondary status Duplicate File indicator IS “Secondary” 16,569,218 271.5 GB KFF Ignore Match all files where KFF status IS “Ignore” 2,548,119 44.29 GB No KFF Ignore Match all files where KFF status IS NOT “Ignore” + KFF status IS “Not checked” 24,102,965 3524 GB Primary status + No KFF Ignore Match all files where duplicate file indicator IS “Primary” + KFF status IS NOT “Ignore” 626,351 71.95 GB Actual files + Primary status + No KFF Ignore Match all disk-bound files where duplicate file indicator IS “Primary” + KFF status IS NOT “Ignore” 103,412 61.81 GB Digital forensics at the Dalhousie University Archives
Free digital forensics tools and resources – FTK Imager, BitCurator, and SleuthKit
FTK Imager (free download) Create forensic images of source media Intended for use with hardware write blocker Preview, triage, and image Export, hash, convert Preview data Triage Create forensic images Export Hash Convert Digital forensics at the Dalhousie University Archives
FTK Imager (free download) Imaging tool – create forensic images of mounted Preview tool – preview evidence to determine if further analysis is needed Export tool – quickly select and export files prior to performing full analysis of the disk image FTK Imager can open mounted drive, contents of a folder, or a forensic image FTK Imager cannot create image of a networked drive Digital forensics at the Dalhousie University Archives
FTK Imager – Create Image Digital forensics at the Dalhousie University Archives
SleuthKit + Autopsy Images source: https://www.sleuthkit.org/ Digital forensics at the Dalhousie University Archives
SleuthKit + Autopsy SleuthKit is a collection of command line tools to investigate disk images Tools support the analysis of volume and file system data Autopsy is graphical user interface to SleuthKit and other digital forensics tools Digital forensics at the Dalhousie University Archives
Free resources Forensics wiki: http://forensicswiki.org/wiki/Main_Page List of digital forensics tools: https://en.wikipedia.org/wiki/List_of_digital_forensics_t ools BitCurator wiki: https://wiki.bitcurator.net/index.php?title=Main_Page Digital forensics at the Dalhousie University Archives